kumquat-buildroot/package/libpjsip/0002-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
Fabrice Fontaine 26344644ee package/libpjsip: fix CVE-2022-235{3, 4}7
https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-28 16:04:56 +01:00


From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Fri, 23 Dec 2022 15:05:28 +0800
Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr
* Fixed heap buffer overflow when parsing STUN errcode attribute
* Also fixed uint parsing
[Retrieved from:
https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index c6b0bdd284..b55d29849a 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
GETATTRHDR(buf, &attr->hdr);
- attr->value = GETVAL32H(buf, 4);
-
/* Check that the attribute length is valid */
if (attr->hdr.length != 4)
return PJNATH_ESTUNINATTRLEN;
+ attr->value = GETVAL32H(buf, 4);
+
/* Done */
*p_attr = attr;
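Review bot: in decode_uint_attr, the reordered check `if (attr->hdr.length != 4)` validates only the length declared in the attribute header, and nothing in this hunk shows that buf really holds 4 value bytes after the header before `GETVAL32H(buf, 4)` reads them. Please confirm that the caller has already checked the declared attribute length against the bytes remaining in the message, and say so in the comment above the check, so that the safety of the read does not depend on an unstated assumption. A smaller point: PJ_POOL_ZALLOC_T still runs before the validation, so a rejected attribute still costs a pool allocation. Moving the allocation below the length check would avoid that for malformed input.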
@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
GETATTRHDR(buf, &attr->hdr);
+ /* Check that the attribute length is valid */
+ if (attr->hdr.length < 4)
+ return PJNATH_ESTUNINATTRLEN;
+
attr->err_code = buf[6] * 100 + buf[7];
/* Get pointer to the string in the message */
value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
value.slen = attr->hdr.length - 4;
- /* Make sure the length is never negative */
- if (value.slen < 0)
- value.slen = 0;
/* Copy the string to the attribute */
pj_strdup(pool, &attr->reason, &value);
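Review bot: in decode_errcode_attr, now that the `if (value.slen < 0)` clamp is gone, the non-negativity of `value.slen = attr->hdr.length - 4` rests entirely on the new `if (attr->hdr.length < 4)` check. The comment on that check should say so, and should say that 4 is the size of the fixed part read through buf[6] and buf[7], so that a later edit does not separate the two. The literal 4 now appears in the check, in `ATTR_HDR_LEN + 4` and in `attr->hdr.length - 4`, and a named constant would keep the three in step. The check gives only a lower bound: the length passed to pj_strdup is still the declared hdr.length, and nothing in this hunk shows it being compared with the bytes left in the message, so please confirm that the caller enforces that upper bound.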